Unable to access internet after CARP HA configuration, but NAT working.

Started by 469, August 29, 2024, 12:48:25 AM

Hi, I'm having issues being able to access the internet when CARP is set up. The way I see it, it is more of a Virtual IP issue, not caused by CARP. Here are my firewalls' configurations:

Firewall 1:
WAN interface gateway: x.x.x.105/29 - static ip from ISP
WAN interface: x.x.x.106/29 - static ip from ISP
LAN interface: 192.168.1.5/24
Virtual WAN ip: x.x.x.254/29
Virtual LAN ip: 192.168.1.1/24
Pfsync: 10.0.0.1

Firewall 2:
WAN interface gateway: x.x.x.105/29 - static ip from ISP
WAN interface: x.x.x.107/29 - static ip from ISP
LAN interface: 192.168.1.6/24
Virtual WAN ip: x.x.x.254/29
Virtual LAN ip: 192.168.1.1/24
Pfsync: 10.0.0.2

NAT rule: WAN interface, source LAN net + all other vlan net, NAT address x.x.x.254 which is WAN VIP

With this setup, with my laptop plugged into the LAN port of firewall 1 (I haven't set up a switch connecting the LAN ports from both firewalls, if this is the issue) I am able to ping 192.168.1.5, the gateway obviously; 192.168.1.1, the LAN VIP; x.x.x.106, the WAN address; and x.x.x.254, the WAN VIP. However, I cannot access the internet, while before (without all the virtual IPs and the redundant firewall) I was able to.
Please let me know if I have messed up my configuration somehow. This is my first time attempting to set up CARP, so any help would be greatly appreciated. Thank you!

Hello

Did you manage to solve your problem?
I have the same situation and I still don't understand what the problem could be.

Your CARP WAN IP should be in the same /29 subnet as all other addresses, IMHO.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on July 08, 2025, 10:50:42 AM
    Your CARP WAN IP should be in the same /29 subnet as all other addresses, IMHO.

Of course, this is true, we receive a /29 subnet from the provider that is completely ours.
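The subnet point raised above can be checked mechanically before touching CARP at all. The following is an added example, not code from the thread or from OPNsense: it takes each interface's real addresses, gateway and CARP VIP and reports any VIP or gateway that does not sit inside the network the interface addresses define. The thread masks the public prefix as "x.x.x"; the example substitutes the documentation range 203.0.113.0/24 as a constructed stand-in, and the "fixed" configuration with the VIP at .108/29 is likewise an assumed value for contrast, not something the thread states.

```python
import ipaddress

# Constructed stand-in for the thread's masked "x.x.x" prefix. 203.0.113.0/24 is
# reserved for documentation (TEST-NET-3), so these are not anyone's real addresses.
PREFIX = "203.0.113"


def check_vip_placement(interfaces):
    """Return a list of human-readable problems for a CARP/VIP layout.

    interfaces maps an interface name to a dict with:
      addresses: list of "ip/prefix" strings, one per cluster node
      gateway:   optional plain IP of the upstream gateway on that interface
      vip:       optional "ip/prefix" string of the shared CARP address
    A VIP must lie inside the same network as the node addresses and carry the
    same prefix length; a gateway only has to be reachable inside that network.
    """
    problems = []
    for name, cfg in interfaces.items():
        # All node addresses on one interface must agree on the network.
        nets = {ipaddress.ip_interface(a).network for a in cfg["addresses"]}
        if len(nets) != 1:
            problems.append(
                f"{name}: node addresses fall in different networks: "
                f"{sorted(str(n) for n in nets)}"
            )
            continue
        net = nets.pop()

        gateway = cfg.get("gateway")
        if gateway is not None and ipaddress.ip_address(gateway) not in net:
            problems.append(f"{name}: gateway {gateway} is outside {net}")

        vip = cfg.get("vip")
        if vip is not None:
            vip_if = ipaddress.ip_interface(vip)
            if vip_if.ip not in net:
                # This is the failure mode in the thread: x.x.x.254/29 is not part
                # of the /29 that holds .105, .106 and .107.
                problems.append(f"{name}: VIP {vip_if.ip} is outside {net}")
            elif vip_if.network != net:
                problems.append(
                    f"{name}: VIP {vip} has a different prefix length than {net}"
                )
    return problems


# The original poster's layout, with the masked prefix substituted (constructed).
THREAD_CONFIG = {
    "WAN": {
        "addresses": [f"{PREFIX}.106/29", f"{PREFIX}.107/29"],  # firewall 1, firewall 2
        "gateway": f"{PREFIX}.105",
        "vip": f"{PREFIX}.254/29",
    },
    "LAN": {
        "addresses": ["192.168.1.5/24", "192.168.1.6/24"],
        "vip": "192.168.1.1/24",
    },
}

# Assumed corrected layout for contrast: the WAN VIP moved into the delegated /29.
FIXED_CONFIG = {
    "WAN": {
        "addresses": [f"{PREFIX}.106/29", f"{PREFIX}.107/29"],
        "gateway": f"{PREFIX}.105",
        "vip": f"{PREFIX}.108/29",
    },
    "LAN": THREAD_CONFIG["LAN"],
}


if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("fixed", FIXED_CONFIG)):
        found = check_vip_placement(cfg)
        print(f"{label}: {found if found else 'no placement problems'}")
```

Run against the thread's numbers the check flags only the WAN VIP; the LAN VIP 192.168.1.1/24 sits inside 192.168.1.0/24 and passes, which matches what the poster observes (LAN VIP reachable, upstream not). The pfsync addresses are left out because the thread gives no prefix length for them.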

Hi,

For this to work you need to connect the routers to a switch and connect the testing host to this switch as well. The internet uplinks also need to be connected to a switch on the WAN side.

Create an outbound NAT rule like this:

Interface | Source        | Source Port | Destination | Destination Port | NAT Address          | NAT Port | Static Port
WAN       | This Firewall | *           | *           | *                | WAN address          | *        | NO
WAN       | ANY           | *           | *           | *                | WAN CARP VIP Address | *        | NO

The first rule is for internet access for the firewalls themselves; the second forces the local internet traffic over the CARP internet address.

You already have a LAN virtual CARP address, so from this part you should have fail-over.